skryApr 12, 2025

“slopsquatting, a new term for a surprisingly effective type of software supply chain attack that emerges when LLMs “hallucinate” package names that don’t actually exist. If you’ve ever seen an AI recommend a package and thought, “Wait, is that real?”—you’ve already encountered the foundation of the problem.

And now attackers are catching on.”

The Rise of Slopsquatting: How #AI Hallucinations Are Fueling... https://socket.dev/blog/slopsquatting-how-ai-hallucinations-are-fueling-a-new-class-of-supply-chain-attacks #npm #dev #infosec

Edit: more info: https://www.bleepingcomputer.com/news/security/ai-hallucinated-code-dependencies-become-new-supply-chain-risk/

The Rise of Slopsquatting: How AI Hallucinations Are Fueling...

Slopsquatting is a new supply chain threat where AI-assisted code generators recommend hallucinated packages that attackers register and weaponize.

Socket
Show threadSean CollinsApr 12, 2025
@skry I feel like this is could be mitigated with an MCP agent that runs security scans/heuristics against any new dependencies
Show threadDan
@cllns @skry
Apr 12, 2025 at 7:17amWeb